guix-devel

Authenticating a custom channel while tracking upstream


From: Felix Lechner
Subject: Authenticating a custom channel while tracking upstream
Date: Sun, 7 May 2023 15:51:41 -0700

Hi,

Is the current scheme of authenticating Git checkouts [1] really
compatible with the free software guidelines we hold so dear?

Here is my dilemma: I would like to deploy an experimental version of
Guix by following the advice so kindly offered here [2] but hesitate
to compromise on security. I cannot figure out how to add my own key
[3] to the in-repo file .guix-authorizations [4] without asking an
approved upstream committer to sign that commit in my own repository.

The way I see it, such a shim transaction would also prevent me from
tracking further upstream changes in my own branch because the shim
would have to be rebased continually.

I believe users should be able to extend the trust roots. Could we
perhaps expand the present mechanism to merge the trusted keys from
all channels? That would presumably include my own. Thanks!

Kind regards
Felix

[1] https://guix.gnu.org/blog/2020/securing-updates/
[2] https://lists.gnu.org/archive/html/guix-devel/2023-05/msg00021.html
[3] https://codeberg.org/lechner/juix/src/branch/history/.guix-authorizations
[4] https://git.savannah.gnu.org/cgit/guix.git/tree/.guix-authorizations


